vcl 4.0;

import std;
import directors;

#
# These nets/machines are allowed /repo access
#
acl repoallowed {
  "10.16.0.0"/24;
}

acl purge {
  "127.0.0.1"/32;
}
backend kojipkgs01 {
    .host = "kojipkgs01.phx2.fedoraproject.org";
    .probe = {
        .url = "/";
        .timeout = 1s;
        .interval = 5s;
        .window = 5;
        .threshold = 3;
    }
}

backend kojipkgs02 {
    .host = "kojipkgs02.phx2.fedoraproject.org";
    .probe = {
        .url = "/";
        .timeout = 1s;
        .interval = 5s;
        .window = 5;
        .threshold = 3;
    }
}

sub vcl_init {
    new primarykojipkgs = directors.round_robin();
    primarykojipkgs.add_backend(kojipkgs01);
    primarykojipkgs.add_backend(kojipkgs02);
}

sub vcl_recv {
    # This gets arround the silly, ::1 that Apache adds on the proxies (still need to look at that)
    set req.http.X-Forwarded-For = regsub(req.http.X-Forwarded-For, "^([a-f0-9:.]+), .+$", "\1");

    set req.backend_hint = primarykojipkgs.backend();
    unset req.http.cookie;
    set req.http.clear-cookies = "yes";

    if (req.method == "PURGE") {
        if (!client.ip ~ purge) {
            return (synth(405, "Not allowed"));
        }
        return(purge);
    }

    if (req.url ~ "^/repo/" && !(std.ip(req.http.X-Forwarded-For, "0.0.0.0") ~ repoallowed)) {
        return(synth(403, "Access denied."));
    }
    if (req.url ~ "^/mash/") {
        return (pipe);
    }
    if (req.url ~ "^/compose/") {
        return (pipe);
    }
    if (req.url ~ "h264") {
        return (pipe);
    }
    return (hash);
}
